Abstract

In this position paper we briefly review the development history of automated inductive the- 
orem proving and computer-assisted mathematical induction. We think that the current low 
expectations on progress in this field result from a faulty narrow-scope historical projection. 
Our main motivation is to explain — on an abstract but hopefully sufficiently descriptive 
level — why we believe that future progress in the field is to result from human-orientedness 
and descente infinie. 
1 Introduction

1.1 Subject Area 

In this paper we are concerned with 

• automated inductive theorem proving and 

• computer-assisted mathematical induction. 

Both terms refer to the task of doing mathematical induction with the computer. The former term 
puts emphasis on the importance of strong automation support, as found in the classical systems 
Nqthm [15, 16], INKA [7], and Acl2 [56] based on explicit induction. The latter and more 
general term, however, is to denote more human-oriented approaches in addition, as found in 
QuodLibet [10] and other future systems based on descente infinie. Note that we do not believe 
in the usefulness of the extreme representatives of any of the two terms: Neither mere black-box 
automation nor mere proof-checkers can be too useful in mathematical induction. Above that, we 
think that a successful system has to put strong emphasis on both aspects and find a way to be 
both human- and machine-oriented. 

1.2 Expectations and Importance of Future Progress 

A majority of researchers in the area of computer-assisted mathematical induction seem to believe 
that no further progress can be expected in this area within the nearer future. Moreover, recently, 
between two talks at a conference, one of the leading German senior researchers in the field told 
me that he thinks that currently it is hardly possible to get any funding for research on computer- 
assisted mathematical induction. 

Thus, we should ask for possible scientific reasons for the current funding situation. We ought 
to check the justification of the belief that progress in computer-assisted mathematical induction 
is unlikely to occur in the nearer future. 

It is, however, obviously not the case that progress in computer-assisted mathematical in- 
duction is considered to be unimportant. Indeed, progress in computer-assisted mathematical 
induction is in high demand for mathematics assistance systems, for verification of software and 
hardware, and for synthesis of recursive programs. Due to a slow-down in progress of automated 
mathematical induction in the last decade, however, currently there does not seem to be much 
hope among scientists for further progress in the nearer future. 

1.3 A Possible Way to Future Progress — Overall Thesis 

To show a possible way to future progress is the aim of this position paper. Namely, to explain 
why we are confident that descente infinie can be the start to a new breakthrough in computer- 
assisted mathematical induction. 

Together with descente infinie we present our ideas on the importance of human-oriented 
theorem proving, a point of view we have been holding and furthering for more than a dozen 
years [110, 121]. 
"Human-oriented theorem proving" basically means that — to overcome the current stagnation —
we have to develop paradigms and systems for the synergetic combination and cooperation
of the human mathematician with its semantical strength and the machine with its computational
strength.

Our thesis is that descente infinie is such a paradigm. 

1.4 Organization of this Paper 

The paper is organized as follows. In § 2 we describe the general context where and why
mathematics and mathematicians should win from computers. As the reason for the little hope in
progress in mathematical induction seems to be a wrong projection from the past into the future,
we cannot reasonably state what we may hope to achieve by human-orientedness and descente infinie
(§ 4) and why the two belong together (§ 5) before we have had a short look at the history of
computer-assisted theorem proving in § 3. Without diving too deep into technical details, after
presenting descente infinie (§ 6) and explicit induction (§§ 7 and 8), we then support our overall
thesis of § 1.3 in §§ 9 and 10, and discuss the standard objections in § 11. Finally, we conclude
in § 12.



2 Requirements Specification 
From the ancient Greeks until today, mathematical theories, notions, and proofs are not developed
the way they are documented. This difference is not only due to the iterative deepening of
the development and the omission of easily reconstructible parts. Also the global order of pre- 
sentation in publication more often than not differs from the order of development. This results 
in the famous eureka steps, which puzzle the freshmen in mathematics. The difference does not 
only occur in scientific publications where the succinct presentation of results may justify this 
difference, but also for the vast majority of textbooks and lectures where the objective should be 

• to teach how to find proofs, notions, and theorems. 

The conventional natural-language representation of mathematical proofs in advanced theoretical 
journals with its intentional vagueness [115, §6.2] and hidden sophistication can only inform 
highly educated human beings about already found proofs. This conventional representation, 
however — as fascinating as it is as a summit of the ability of the human race to communicate 
deep structural knowledge effectively — does not tell much about the 

• originally applied plans and methods of proof construction 
and does not admit computers 

• to check for soundness and 

• to take over the tedious, error-prone, computational, and boring parts of proofs. 

Obviously, a computer representation that admits the flexibility for and the support of the issues 
of all above items in parallel plus the computation of 

• different conventional natural language presentations tailored to various purposes 

is in great demand and could increase the efficiency of working mathematicians tremendously. 
3 Short History of Computer-Assisted Theorem Proving

3.1 Formula Language and Calculi 

Starting with the Cossists and Viète in the 15th and 16th century, the formula language of
mathematics and its semantics were adequately and rigorously modeled by the end of the 19th century
in Peano's ideography [78] and Frege's Begriffsschrift [37].

An adequate rigorous representation that supports a working mathematician's theorem proving,
however, has not been found until today. But already now the formula language of mathematics
and its semantics can provide a powerful interface between human and machine.

The numerous logic calculi developed during the 20th century were mostly designed to satisfy
merely theoretical criteria, but not to follow the theorem-proving procedures of working
mathematicians.

An important step toward human-oriented calculi was done by Gerhard Gentzen (1909-1945)
when he used his structural insights to refine his Natural Deduction calculi (which were close
to natural-language mathematics) into sequent calculi [40]. These calculi meant a huge progress
toward an adequate human-oriented representation of a working mathematician's deductive proof
search. Sequent and tableau calculi capture the reductive (analytic, top-down, backward) reasoning
from goals to subgoals directly in the essential calculus rules and the generative (synthetic,
bottom-up, forward) reasoning from axioms to lemmas can be adequately realized with lemmatizing
versions of the Cut rule [9, 10, 110, 113] (cf. Note 10). Based on Gentzen's sequent calculus
there has been further progress into this direction: Free-variable calculi [35, 71, 113] admit to
defer commitments until the state of the proof attempt provides sufficient information for a
successful choice. Thereby they help the mathematician to follow his proof plans more closely by
overcoming premature witness decisions forced by Gentzen's original calculus. Indexed formula
trees [6] admit the mathematician to focus immediately on the crucial proof steps and defer the
problems of β-sequencing and γ-multiplicity [115].

3.2 Automation 

Starting in the 1950s, there was great hope to automate theorem proving with the help of
computers and machine-oriented logic calculi. State-of-the-art fully-automated theorem provers of
today (ATPs, such as Vampire [84] and WaldMeister [17, 67]) represent a summit in the
history of creative engineering. That ATP systems will never develop into systems that can assist
a mathematician in his daily work, however, is a general consensus among their developers for
more than a dozen years now. The reason for this is the following:

The automatic theorem provers' search spaces are too huge for complete automation 
and completely different from the search spaces of the working mathematicians, who 
therefore can neither interact with these systems, nor transfer their human skills to 
them. 

Note that this does not mean that ATP systems are useless. They already now provide a powerful
basis for the automation in mathematics assistance systems such as ΩMEGA [93].
3.3 Proof Planning

At the end of the 1980s, the ideas to overcome the approaching dead end in ATP were summarized
under the keyword proof planning. Beside its human-science aspects [19], the idea of proof
planning [18, 28] is to add smaller and more human-oriented higher-level search spaces to the
theorem-proving systems on top of the low level search spaces of the logic calculi. In the 1990s,
the major proof-planning systems Oyster-CLAM [18, 22], ΩMEGA [93], and λCLAM [20] seem
to have been led astray by the hopes that with these additional levels

1. the underlying logic calculus could be neglected, and,

2. instead of the working mathematician himself, it would be sufficient to get his proof plans 
to the machine. 



3.4 Alternative Point of View in Proof Planning 

To the contrary of these hopes, we believe that progress in proof planning and computer-assisted 
mathematical theorem proving requires the further development of human-oriented state-of-the- 
art logic calculi, which free the higher levels from unnecessary low-level commitments and admit 
the mathematician to interact directly with the machine, even when the automation of proofs fails 
on the lowest logic level. 

We need both high-level top-down interactive proof development and bottom-up sup- 
port from a state-of-the-art flexible human-oriented calculus with strong automation. 

The neglect of the logic calculus and human-machine interaction is to be overcome in the system
IsaPlanner [28, 29, 30] and in the new ΩMEGA system currently under construction [9] by
using the standard calculus of ISABELLE/HOL [70, 71] and the new human-oriented calculus of
CoRe [6], respectively.

3.5 Conclusion: Human-Oriented Automated Theorem Proving 

The completely automatic generation of a non-trivial proof for a given input conjecture is typically
not possible today and — contrary to the complete automation of chess playing — will probably
never be.

Thus, beside some rare exceptions — as the automation of proof search will always fail on the 
lowest logic level from time to time — the only chance for automatic theorem proving to become 
useful for mathematicians is a synergetic interplay between the mathematician and the machine. 

For this interplay, it does not suffice to compute human-oriented representations of machine- 
oriented proof attempts for interaction with a user interface during the proof search. Indeed, 
experience shows that the syntactical problems have to be presented accurately and in their exact 
form. Thus — to give the human user a chance to interact — the calculus itself must be human- 
oriented. 
4 What Can we Hope to Achieve? And How?

After all that history of great original expectations and down-slowing progress, what can we 
reasonably hope for the nearer future? 

As described in §3.1 and Note 1, the formula language of mathematics and its semantics 
already now provides a powerful interface between human and machine. But we still have to find 
a representation of mathematical proofs supporting the issues mentioned in § 2, namely: machine 
assistance in and teaching of proof search, proof planning, and theory development; automation 
of tedious, error-prone, computational, and boring parts of proofs and checking for soundness; 
and the computation of various natural language presentations. 

As full automation cannot succeed within the current paradigm, we have to follow the human
mathematicians, although we do not know much about their procedures and they hardly know
how to explain them.

The first steps on this way are to give the mathematician the freedom to go his way and let the 
system assist him. Not the other way round as usual! We are convinced of a potential success of 
the following development cycle: 

• In a first step, informal and formal logical calculi and the user interfaces have to provide 
the freedom to use all the required means in a human-oriented design, and then, 

• in a second step, we have to learn the heuristics that admit a feasible proof search from the 
mathematicians; by human learning in the beginning, hopefully by artificial-intelligence 
machine-learning later. 

And the starting point ought to be a human-oriented, machine-oriented, flexible state-of-the-art 
calculus [6, 113] and an administration of proof tasks in a proof data structure [9]. 

5 Why Mathematical Induction? 

In this § 5, we briefly explain why we see an affinity between human-orientedness and mathema- 
tical induction and why this position paper is about both descente infinie and human-orientedness 
in parallel. 

Beside some proof-theoretical peculiarities of mathematical induction that do not really have
a practical effect, mathematical induction is the area of mathematical theorem proving where
our heuristic knowledge is best. This is the case both for human (descente infinie, cf. § 6) and for
machine-oriented heuristics (explicit induction, cf. § 7). As these two heuristics are completely
different in their surface structure and the progress in practical usefulness was quite moderate
in the last decade, mathematical induction is a good area to look for evidence for our thesis on
human-orientedness:

Human-oriented procedures can overcome the current slowdown of progress in 
computer-assisted theorem proving. Their — even compared to machine-oriented 
procedures — huge search spaces can be controlled by heuristics learned from the 
human mathematicians working with advanced systems. 
6 Descente Infinie

In everyday mathematical practice of an advanced theoretical journal the frequent inductive
arguments are hardly ever carried out explicitly. Instead, the proof just reads something like "by
structural induction on n, q.e.d." or "by induction on (x, y) over <, q.e.d." expecting that the
mathematically educated reader could easily expand the proof if in doubt. In contrast, very
difficult inductive arguments, sometimes covering several pages, such as the proofs of Hilbert's first
ε-theorem [48, Vol. II] or Gentzen's Hauptsatz [40], or confluence theorems such as the ones
in [47, 109, 119] still require considerable ingenuity and will be carried out! The experienced
mathematician engineers his proof roughly according to the following pattern:

He starts with the conjecture and simplifies it by case analysis. When he realizes
that the current goal becomes similar to an instance of the conjecture, he applies
the instantiated conjecture just like a lemma, but keeps in mind that he has actually
applied an induction hypothesis. Finally, he searches for some well-founded ordering
in which all the instances of the conjecture he has applied as induction hypotheses
are smaller than the original conjecture itself.

The hard tasks of proof by mathematical induction are 

(Hypotheses Task) 

to find the numerous induction hypotheses (as, e.g., in the proof of Gentzen's Hauptsatz on 
Cut-elimination) and 

(Induction-Ordering Task) 

to construct an induction ordering for the proof, i.e. a well-founded ordering that satisfies
the ordering constraints of all these induction hypotheses in parallel. (For instance, this
was the hard part in the elimination of the ε-formulas in the proof of the 1st ε-theorem in
[48, Vol. II], and in the proof of the consistency of arithmetic by the ε-substitution method
in [2]).

The soundness of the above method for engineering hard induction proofs is easily seen when
the argument is structured as a proof by contradiction, assuming a counterexample. For Pierre
Fermat's (1607?-1665) historic reinvention of the method, it is thus just natural that he developed
the method itself in terms of assumed counterexamples [12, 26, 33, 68, 116]. He called it
"descente infinie ou indéfinie". Here it is in modern language, very roughly speaking: A proposition
Γ can be proved by descente infinie as follows:

Show that for each assumed counterexample of Γ there is a smaller counterexample
of Γ w.r.t. a well-founded ordering <, which does not depend on the counterexamples.
There is historic evidence on descente infinie being the standard induction method in
mathematics: The first known occurrence of descente infinie in history seems to be the proof of the
irrationality of the golden number $\frac{1}{2}(1+\sqrt{5})$ by the Pythagorean mathematician Hippasus of
Metapontum (Italy) in the middle of the 5th century B.C. [38]. Moreover, we find many
occurrences of descente infinie in the famous collection "Elements" of Euclid of Alexandria [32]. The
following eighteen centuries showed a comparatively low level of creativity in mathematical
theorem proving, but after Fermat's reinvention of the Method of Descente Infinie in the middle of the
17th century, it remained the standard induction method of working mathematicians until today.



At Fermat's time, natural language was still the predominant tool for expressing terms and equa- 
tions in mathematical writing, and it was too early for a formal axiomatization. Moreover, care- 
fully notice that an axiomatization captures only validity, but in general does neither induce a 
method of proof search nor provide the data structures required to admit both a formal treatment 
and a human-oriented proof search. The formalizable logic part, however, of descente infinie can 
be expressed in what is called the (second-order) Theorem of Noetherian Induction (N), after 
Emmy Noether (1882-1935). This is not to be confused with the Axiom of Structural Induction, 
which is generically given for any inductively defined data structure, such as the Axiom of Struc- 
tural Induction (S) for the natural numbers inductively defined by the constructors zero and 
successor s. Moreover, we need the definition (Wellf (<)) of well-foundedness of a relation <. 

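$$
\begin{array}{ll}
(\mathrm{Wellf}(<)) & \forall Q.\ \bigl(\ \exists x.\ Q(x)\ \Rightarrow\ \exists m.\ \bigl(\ Q(m)\ \wedge\ \neg\exists w{<}m.\ Q(w)\ \bigr)\ \bigr) \\[4pt]
(\mathrm{N}) & \forall P.\ \bigl(\ \forall x.\ P(x)\ \Leftarrow\ \exists{<}.\ \bigl(\ \forall v.\ \bigl(\ P(v)\ \Leftarrow\ \forall u{<}v.\ P(u)\ \bigr)\ \wedge\ \mathrm{Wellf}(<)\ \bigr)\ \bigr) \\[4pt]
(\mathrm{S}) & \forall P.\ \bigl(\ \forall x.\ P(x)\ \Leftarrow\ P(0)\ \wedge\ \forall y.\ \bigl(\ P(s(y))\ \Leftarrow\ P(y)\ \bigr)\ \bigr) \\[4pt]
(\mathrm{nat1}) & \forall x.\ \bigl(\ x = 0\ \vee\ \exists y.\ x = s(y)\ \bigr) \\[4pt]
(\mathrm{nat2}) & \forall x.\ s(x) \neq 0 \\[4pt]
(\mathrm{nat3}) & \forall x, y.\ \bigl(\ s(x) = s(y)\ \Rightarrow\ x = y\ \bigr)
\end{array}
$$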

Let Wellf(s) denote Wellf(λx, y. (s(x) = y)), which implies the well-foundedness of the ordering
of the natural numbers. The natural numbers can be specified up to isomorphism either by
(S), (nat2), and (nat3), or else by Wellf(s) and (nat1). The first alternative is the traditional
one, following Dedekind and named after Peano. As the instances for P and < in (N) are often
still easy to find when the instances for P in (S) are not, the second alternative together with (N)
is to be preferred in theorem proving for its usefulness and elegance. Cf. [113] for more on this.
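
The soundness argument by assumed counterexample and its relation to (N), checked mechanically: this is an added Lean 4 example, not part of the original paper or of any system it cites. The names `Wellf`, `descente_infinie` and `noetherian_induction` are chosen here, and only core Lean 4 with classical logic is assumed.

```lean
/-- (Wellf(<)): every nonempty class Q has a <-minimal element. -/
def Wellf {α : Type} (lt : α → α → Prop) : Prop :=
  ∀ Q : α → Prop, (∃ x, Q x) → ∃ m, Q m ∧ ¬ ∃ w, lt w m ∧ Q w

/-- Descente infinie in Fermat's counterexample form: if every assumed
    counterexample of Γ has a smaller counterexample w.r.t. a
    well-founded ordering, then Γ has no counterexample. -/
theorem descente_infinie {α : Type} (lt : α → α → Prop) (hwf : Wellf lt)
    (Γ : α → Prop)
    (descent : ∀ x, ¬ Γ x → ∃ y, lt y x ∧ ¬ Γ y) : ∀ x, Γ x := by
  intro x
  apply Classical.byContradiction
  intro hx
  -- the counterexamples are a nonempty class, so one of them is minimal
  have ⟨m, hm, hmin⟩ := hwf (fun y => ¬ Γ y) ⟨x, hx⟩
  -- descent yields a smaller counterexample, contradicting minimality
  have ⟨y, hy, hny⟩ := descent m hm
  exact hmin ⟨y, hy, hny⟩

/-- (N) for a fixed P and <, obtained from descente infinie. -/
theorem noetherian_induction {α : Type} (lt : α → α → Prop) (hwf : Wellf lt)
    (P : α → Prop)
    (step : ∀ v, (∀ u, lt u v → P u) → P v) : ∀ x, P x := by
  apply descente_infinie lt hwf P
  intro v hv
  apply Classical.byContradiction
  intro hno
  -- no smaller counterexample means P holds for all u < v, hence P v
  apply hv
  apply step
  intro u hu
  apply Classical.byContradiction
  intro hPu
  exact hno ⟨u, hu, hPu⟩
```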



For a more detailed discussion of descente infinie from the historical and linguistic points of view
cf. [116, § 2]!
7 Explicit Induction

In the 1970s, the School of Explicit Induction was formed by computer scientists working on the 
automation of inductive theorem proving. Inspired by J. Alan Robinson's resolution method [85], 
they tried to solve problems of logical inference via reduction to machine-oriented inference 
systems. Instead of implementing more advanced mathematical induction techniques, they de- 
cided to restrict the second-order Theorem of Noetherian Induction (N) (cf. § 6) and the induc- 
tive Method of Descente Infinie to first-order induction axioms and deductive first-order reason- 
ing [113, § 1.1.3]. 

Note that in these induction axioms, the subformula

∀u<v. P(u)

of (N) is replaced with a conjunction of instances of P(u) with predecessors of v like in (S). The
induction axioms of explicit induction must not contain the induction ordering <.

Furthermore, note that although an induction axiom may take the form of a first-order instance of 
the second-order Axiom of Structural Induction (S) (cf. § 6), conceptually it is an instance of (N) 
and the whole concept of explicit induction is a child of the computer, whereas (S) was already 
applied by the ancient Greeks [1]. 

The so-called "waterfall"-method of the pioneers of this approach [15] refines this process into
a fascinating heuristic, and the powerful inductive theorem proving system Nqthm [15, 16] has
shown the success of this reduction approach already a quarter of a century ago. For
comprehensive surveys on explicit induction cf. [105] and [20]. Cf. [114] for a survey on the alternative
approaches of implicit and inductionless induction.

Boyer & Moore's Nqthm [15, 16] and Bundy & Hutter's rippling [13, 23, 24, 49, 50, 52, 95] are
prime examples of practically useful automation-supported theorem proving and proof planning,
respectively. Mainly associated with the development of explicit induction systems such as
Oyster-CLAM [18, 22], λCLAM [20], and INKA [7], there was still evidence for considerable
improvements over the years until the end of the last century [53]. Since then, explicit induction
has become a standard in education in the VeriFun project [106]. Today, the application-oriented
explicit induction system Acl2 [56] is still undergoing some minor improvements. Acl2 easily
outperforms even a good mathematician on the typical inductive proof tasks that arise in his daily
work or as subtasks in software verification. These methods and systems, however, do not seem
to scale up to hard mathematical problems and program synthesis (where the computer-assisted
inductive proof of a property of an underspecified program actually is to synthesize the recursive
definitions of the program). We believe that there are principled reasons for this shortcoming.
8 Why Sticking to Explicit Induction Blocks Progress
8.1 Flow of Information 

Apart from sociological reasons, explicit induction blocks progress because it does not admit a
natural flow of information in the sense that a decision can be delayed or a commitment deferred,
until the state of the proof attempt provides sufficient information for a successful choice. Indeed,
explicit induction unfortunately must solve the two hard tasks mentioned in § 6 (namely the
Hypotheses Task and the Induction-Ordering Task) already before the proof has actually started. A
proper induction axiom must be generated without any information on the structural difficulties
that may arise in the proof later on. For this reason, it is hard for an explicit-induction procedure
to guess the right induction axioms for very difficult proofs in advance.



8.2 Recursion Analysis and Induction Variables 

One of the most developed and fascinating applications of heuristic knowledge found in Artificial 
Intelligence, informatics, and computer science is recursion analysis [15]. This is a technique 
for guessing a proper induction axiom by statical analysis of the syntax of the conjecture and the 
recursive definitions. In this paper, we subsume under the notion of "classical recursion analysis" 
also its minor improvements [98, 99, 102, 103, 104]. Under the notion of "recursion analysis" 
we also subsume ripple analysis, an important extension of classical recursion analysis. 

Ripple analysis is sketched already in [21, § 7] and nicely described in [20, § 7.10]. On the 
one hand, by rejecting recursive definitions whose unfolding would block the application of the 
induction hypothesis, ripple analysis excludes some unpromising induction axioms of classical 
recursion analysis. On the other hand, by considering lemmas of a reductive character in addition 
to the actual recursive definitions, ripple analysis can find more useful induction axioms than 
classical recursion analysis. 

A requirement, however, which we put on the notion of "recursion analysis" is that it does not
perform dynamical proof search but has a limited lookahead into the proof, typically one rewrite
step for each term in a set of subterms that covers all occurrences of induction variables. Note
that although "induction variable" is a technical term in recursion analysis, roughly speaking, this
notion is also common among working mathematicians when they say that something is shown
"by induction on y" for a variable y, for instance.



8.3 The Hypotheses Problem 

However fascinating and highly developed recursion analysis may get, even the disciples of the 
School of Explicit Induction admit the inherent limitations of explicit induction: In [81, p. 43], 
we find not only small verification examples already showing these limits, but also the conclusion: 

Problem 8.1 ([81, p. 43]) "We claim that computing the hypotheses before the proof is not a 
solution to the problem and so the central idea for the lazy method is to postpone the generation 
of hypotheses until it is evident which hypotheses are required for the proof." 
This "lazy method" removes only some limitations of explicit induction as compared to descente
infinie. It focuses more on efficiency than on a clear separation of concepts, and there is no
implementation of it available anymore. The labels "lazy induction" and "lazy hypotheses generation"
that were coined in this context are nothing but a reinvention of parts of Fermat's descente infinie
by the explicit-induction community.

8.4 The Induction-Ordering Problems 

Computer scientists from the School of Explicit Induction used to consider the tasks of 

• induction (i.e. the choice of an induction axiom; e.g. by recursion analysis) and 

• deduction (i.e. the rest of the proof; e.g. by standard first-order reasoning techniques or by 
rippling [13, 23, 24, 49, 50, 52, 95]) 

to be orthogonal. Working mathematicians know that this is wrong. Especially the choice of a 
proper induction ordering interacts with the several cases of a proof in such a way that a new 
proof idea tends to be in conflict with the induction ordering of the previous cases. 

• On the one hand, it is standard in explicit induction to fix induction orderings eagerly, at 
the very beginning of a proof. 

• On the other hand, fixing an induction ordering earlier than in the last steps of an induction 
proof has hardly any benefit ever: 

- For difficult proofs, this is obvious to any working mathematician. 

- For simple proofs, the simple fact that any equation has a left- and a right-hand side 
provides us with sufficient pragmatics for searching in that area of the search space 
where the smaller induction hypotheses use to be applicable; provided that the speci- 
fier has written his specifications in the standard style and the user has activated his 
lemmas for rewriting with a suitable orientation. 

Problem 8.2 Explicit induction has to commit to a fixed and unchangeable induction ordering 
eagerly, at the very beginning of an induction proof. Such a commitment comes far too early 
and is a typical cause of failure. Moreover, it is superfluous because there is hardly any heuristic 
benefit of committing to an induction ordering earlier than in the last steps of an induction proof. 

Beside the restriction of explicit induction to enforce an eager computation of induction axioms 
(i.e. induction hypotheses and the related induction orderings), explicit induction by recursion 
analysis has also another limitation: 

Problem 8.3 Computing induction axioms by recursion analysis can only result in such induc- 
tion orderings that are recombinations of orderings resulting from the recursive definitions (and 
from the currently known lemmas of a reductive character) of the related specifications. 

As a matter of fact, most of the non-trivial induction proofs do not work out with such induction 
orderings. Moreover, for the case of program synthesis, we do not want to be restricted to such 
induction orderings. Cf. [25] for an instance of this, where the quick-sort algorithm is to be 
synthesized from the requirements specification of the sorting function. 
9 Why Descente Infinie is Promising Now

The theoretical research paper [113] provides us with the integration of descente infinie into
deductive calculi. It is — to our best knowledge — the first such combination in the history
of logic, which does not encode some form of induction (as, e.g., in Gentzen's induction rule
of [41], or by application of the second-order Theorem of Noetherian Induction (N) (cf. § 6),
or the second-order Axiom of Structural Induction (S) (cf. § 6), or by generation of first-order
induction axioms), but actually models the mathematical process of proof search by descente
infinie itself and directly supports it with the data structures required for a formal treatment.

This integration (presented for state-of-the-art free-variable sequent and tableau calculi) is
well-suited for an efficient interplay of human interaction and automation and combines
raising [69], explicit representation of dependence between free γ- and δ-variables (according to
Smullyan's classification [96]), the liberalized δ-rule, preservation of solutions, and unrestricted
applicability of lemmas and induction hypotheses. Moreover, the integration is natural in the
sense that it goes together well with context-improved reasoning as in [6], with modern proof
data structures as in [9], with program synthesis as in [25], and with logical binders such as λ
and ε &c. [42, 48, 65, 112, 118]. The semantical requirements for the integration are satisfied
for practically all two-valued logics, such as clausal logic, classical first-order logic, and
higher-order modal logic [113, Note 8].

When computer-assisted inductive theorem proving started in the 1970s, the induction axioms 
of explicit induction were the only known feasible formal means to integrate induction into de- 
ductive calculi. Today, however, we are in a better situation because the results of [113] provide 
us with a simple, elegant, and both machine- and human-oriented integration of descente infinie 
itself. 

The only overhead this integration requires is to add a weight term to each sequent or proof 
goal. These weight terms stay inactive until a goal is applied as an induction hypothesis. Com- 
pared to the application of a goal as lemma, this induction-hypothesis application produces an 
additional ordering subgoal, which asks us to show that the induction hypothesis is smaller in 
some well-founded ordering than the goal it is applied to. 

On a more technical level — to integrate descente infinie into a given logic calculus — we need 

1. to augment the goals (sequents) of the calculus with weight terms, 

2. to add a lemma application to the calculus if not already present, 

3. to patch the lemma application of the calculus to admit induction-hypothesis application, 
which generates an additional ordering subgoal for soundness based on the weights of in- 
duction hypothesis (lemma) and goal, and 

4. to solve the ordering constraints of the induction-hypothesis applications. 

Typically, these requirements are easily satisfied, although there may be problems with calculi 
based on fixed logical frameworks. 
10 The Fundamental Practical Advantage of Descente Infinie 

As difficult mathematical proofs appear to have a semantical nature to human mathematicians, 
a mathematics assistance system has to comply with natural human proof techniques and to be 
able to follow the exact order in which the human user organizes his semantical problem solving. 
Automated theorem proving works on syntactical domains, however, which tend to be different 
from the semantical ones, relatively small-scale, and comparatively limited. For instance, if re- 
cursion analysis results in a useless induction axiom, the proof fails completely. This does not 
mean that automatic search in a calculus is useless. To the contrary, an anytime sparse syntactic 
search through semantically highly redundant search spaces can be most helpful in parallel to the 
interaction of the human user. In such a parallel approach, the "hot" constraints should always 
be solved first. By "hot" we mean constraints with solutions that are strongly indicated by the 
current state of the proof in the sense that there is a committing step toward their solution, with- 
out which the proof can hardly succeed or which makes a success much more likely. Although 
those constraints that are hot for a mechanic procedure and those that are crucial for a human 
mathematician in the construction of the proof idea will be different more often than not, man 
and machine can cooperate very well, provided that the constraints can be solved in any intended 
order and the effects communicated on the basis of a common view. Note that a step from either 
side will typically change the set of hot constraints of the other. 

We are very well aware of the fundamental difficulties and open questions that have to be 
solved for such a cooperation of man and machine. It actually cannot be denied that there seem 
to be several divergences between man and machine, especially: 

• Automation prefers fully expanded definitions while the human user prefers a concise 
representation with composite notions. 

• The higher the automatization the more difficult the analysis of a failed proof attempt for 
the human user. 

Nevertheless, we are convinced that a cooperation of man and machine on the basis of a common 
view is a realistic goal. 

Now we finally just have to mention the fundamental practical advantage of descente in- 
finie as compared to encodings of some form of induction (as, e.g., in Gentzen's induction rule 
of [41], or by application of the second-order Theorem of Noetherian Induction (N) (cf. §6), 
or the second-order Axiom of Structural Induction (S) (cf. § 6), or by generation of first-order 
induction axioms): 

The fundamental practical advantage of our integration of descente infinie is that the 
constraints of the inductive proof search can now be solved together with all other 
constraints of the whole deduction in any suitable order. 

Thus, if recursion analysis shows us the proper way, we can solve the constraints in the order 
according to the heuristics of explicit induction. But any other order is also possible. And we 
may delay solving the harder constraints until the state of the proof attempt provides us with 
information sufficient for a successful choice. 
11 Discussion 



11.1 Paradigm Shift without Sacrifice — Really? 

In blank opposition to our evaluation of descente infinie in §9 as promising, in the 1990s and 
still in the beginning of the 3rd millennium, some leading scientists from the explicit-induction 
community used to claim 

(1) that descente infinie would be too complicated to be useful in practice, and 

(2) that the proper induction axioms could be computed before the actual proof search by a 
partial inspection of the proof in a specialized presentation different from the actual proof 
search with some advanced Artificial Intelligence techniques [51]. 

Claim (1) has already been falsified by the successful treatment of descente infinie in the theorem 
prover QuodLibet [8, 10, 61, 62, 66, 88, 89, 90, 91, 109, 110, 113, 119]. Although QuodLibet 
does not use any induction axioms, it is competitive with the leading inductive theorem 
prover Acl2 [56], with the practically important exception that Acl2 is so efficiently implemented 
that it can be used for both verification and testing of software. 

We believe that also Claim (2) is wrong and that we need the freedom to solve the two hard 
tasks mentioned in § 6 (namely the Hypotheses Task and the Induction-Ordering Task) in small 
portions spread over the whole search of the actual proof. This belief was also confessed to by 
others in [58, § 4.5] and in [45, § 13.4], and there is further recent evidence for this in [91, § 8]. 
Even if Claim (2) were right and the proposed procedure feasible, it would still be an uneconomic 
procedure because there is no need to plan the induction axiom with specialized tools based on a 
special additional representation before searching for the actual proof. 

The deeper reasons behind the Claims (1) and (2) seem to be conservatism and the fear that 
the great heuristic contributions to inductive theorem proving developed within the paradigm of 
explicit induction could be lost. Although such losses are typical for paradigm shifts [63, 117], 
the fear seems to be completely unjustified in our case: 

• Theoretically, descente infinie includes explicit induction. 

• Practically, QuodLibet has shown that in our framework of descente infinie, the heuristic 
knowledge of recursion analysis in the field of explicit induction is still applicable, indispensable, 
and at least as useful as before. We will explain this in § 11.3. That also rippling 
probably stays as important as before is sketched in § 11.4. 
11.2 Schism in Minds vs. Schism in Systems 

Actually, the schism between explicit induction on the one hand and descente infinie on the 
other, never really existed in the minds of most of the leading scientists of the field, especially 
not since the year 1996 [114, §4.2]. This expertise, however, has neither been published nor 
communicated to the outside of the inner circle. Moreover — contrary to the flexibility of the 
minds — in the most powerful inductive theorem prover Acl2 [56] this schism is still manifest: 

Problem 11.1 (No Natural Flow of Information in Acl2) 

The only way to get Acl2 to use an induction ordering which is not of the kind of Problem 8.3 
is to add a recursive function f terminating over this ordering and to hint the prover to use the 
ordering of its termination proof for the eager generation of a eureka induction axiom. Note that 
the function f is typically nonsense and will be used nowhere and especially not in the theorem, 
so that the hint to use it is really necessary. 



11.3 The Role of Recursion Analysis in Descente Infinie 

The cases where eager induction-hypotheses generation is needed to guide the proof into the 
right direction (cf. e.g. [113, §3.3]) are so rare in practice that the current standard induction 
heuristic of the descente infinie system QuodLibet [10, 88] generates induction hypotheses only 
lazily, whereas the case splits for the induction variables are done eagerly right at the beginning 
(after simplification). The possibility to be lazy even simplifies recursion analysis when different 
induction schemes are in conflict, because we do not have to merge them completely: Compare 
[61, § 8.3] with the complicated problems of [103, 104]! 

Nevertheless, recursion analysis plays an important role also in QuodLibet and in descente in- 
finie in general. Even without generating induction hypotheses and the induction ordering eagerly, 
the case analysis suggested by recursion analysis is of great heuristic value. Indeed, nothing is 
more helpful than to know how to start the proof of a conjecture (after simplification). The recur- 
sion analysis in descente infinie is most useful for solving the following task of case analysis: 
(Task of Case Analysis on Induction Variables) 

Which outermost universal variables of the (simplified) conjecture are to be used as 
induction variables, and which lemmas are to be used for the case analysis on the structure 
of the induction variables? For instance, which lemmas of the following form are to be 
chosen for our induction variables m : nat and l : list(nat) for a natural number and a list 
of natural numbers, respectively? 

m = 0 ∨ ∃n : nat. (m = s(n)) 

l = nil ∨ ∃n : nat. ∃k : list(nat). (l = cons(n, k)) 

l = nil ∨ ∃n : nat. ∃k : list(nat). (l = append(k, cons(n, nil))) 

Note, however, that this task is most critical for explicit induction, because the eager induction- 
hypotheses generation fixes the result of this case analysis and makes a later adjustment impossi- 
ble. In descente infinie, however, this task is non-critical because it serves only as a heuristic hint 
on how to start proof search. This is shown in the following example. 

Example 11.2 

Consider the toy example of the even-predicate on natural numbers in the clause 

Even(x + z), ¬Even(x + y), ¬Even(y + z). 

When recursion analysis based on s(v) + w = s(v + w) suggests a base case of x=0 and a 
step case of x=s(x'), the proof by descente infinie may well go on with a case distinction on 
x'=0 and x'=s(x'') and actually proceed by the two base cases of x=0 and x=s(0) and a step 
case of x=s(s(x'')). This, however, is not possible for explicit induction based on any form of 
recursion analysis. Note that the three cases of y=0, z=0, and y=s(y') ∧ z=s(z') provide yet 
another way for descente infinie to extend the proof attempt into a successful proof. 
11.4 Rippling and Descente Infinie 

Although QuodLibet does not implement rippling [13, 23, 24, 49, 50, 52, 95] yet (but applies a 
less syntactically restricted search by a refined contextual rewriting with markings [90, 91]), we 
expect that the restrictions of the search space introduced by rippling can be more useful in the 
less restrictive framework of descente infinie than in the more restrictive framework of explicit 
induction. 

When induction hypotheses are not generated eagerly, "creational rippling" [23] or "blowing up 
of terms" [51, 52] are not required. Instead, the induction variables occur as additional sinks 
in the induction conclusion. On the one hand, this makes rippling technically and intuitively 
simpler (esp. for destructor style recursion) and better suited for human-computer interaction. On 
the other hand, however, the induction variables in the conclusion must be somehow limited in 
their character of being a sink: Unless we limit these sinks to swallow wave fronts consisting of 
destructors, we will have difficulties in finding a well-founded induction ordering justifying the 
induction-hypothesis application. 



11.5 Further Historical Limitations in Explicit Induction 

Beside overcoming the must of generating induction axioms, it should be noted that QuodLibet 
has some additional advantages over classical explicit-induction systems: 

• The strong admissibility restrictions of explicit induction systems (i.e. specification only by 
functional programs, requiring their completeness and termination proofs in advance) have 
been shown to be superfluous [10, 62, 119, 120]. 

Indeed, QuodLibet requires neither termination nor completeness of specification for 
the definitional parts of its specifications. Nevertheless, the definitional parts come with a 
guarantee on consistency and are used for recursion analysis and other special heuristics. 
Thus, overspecification can be avoided and stepwise refinement of specifications becomes 
possible, with a guaranteed monotonicity of validity [120]. 

This is of practical relevance in applications. For instance, in [66], Bernd Löchner (who is 
not a developer but a user of QuodLibet) writes: 

"The translation into the input language of the inductive theorem prover QUODLIBET 
was straightforward. We later realized that this is difficult or impossible 
with several other inductive provers as these have problems with mutual recursive 
functions and partiality" . . . 






• Another advantage compared to Acl2 with its poor user interface and its restriction to a 
complete reset after failure is the following: When automation fails, QuodLibet typically 
stops early and presents the state of the proof attempt in a human-oriented form, whereas 
everything is lost (and only some of the developers may know what to do) when explicit 
induction generates a useless induction axiom (cf. Problem 11.1 in § 11.2). 



11.6 Conclusion 



Those researchers of the explicit induction community who realized what a strong restriction it 
is to fix the induction axiom before the actual induction proof starts — the most important being 
[81, 82], [45], and [25] — always suffered from the wish to synthesize induction axioms. 
The same holds for the synthesis of simple recursive programs from their inductive soundness 
proofs [51, 58] and the more general task of instantiating meta-variables of the input theorem, 
where they also make sense as placeholders for concrete bounds and side conditions of the theorem 
which only a proof can tell. Indeed, the force to commit to a fixed induction axiom eagerly 
is only acceptable for simple proofs or simple theorems without meta-variables. 

All in all, we have listed powerful arguments in §§ 9 and 10 and rebutted perceivable counterar- 
guments in this § 11. 






12 Conclusion 



12.1 Human-Orientedness 

As explained in § 3.2, completely automated black-box theorem proving is approaching its con- 
ceptual limits. Significant future progress requires a paradigm different from the artificial-intelligence 
exploration of the huge search spaces of machine-oriented misanthropic calculi. Human-oriented 
theorem proving and human-oriented calculi provide the only known alternative and have been 
gaining more and more acceptance within the last dozen years. The major tasks in the intended 
advanced form of human-computer interaction are 

• the further development of interface notions following both hidden human cognitive con- 
cepts and the needs for powerful automation support, and 

• the further improvement of the exploitation of the semantical information for the syntactical 
search processes. 

The basic paradigm of interaction must be an anytime search process that knows about the hu- 
mans' semantical strength and asks the human users for advice in their area of competence before 
getting lost in complexity. With a human-oriented main-stream integration following this para- 
digm, we can make man and machine a winning team. 



12.2 Descente Infinie 

Induction axioms were never necessary for the working mathematicians and are not anymore 
necessary in formalized mathematics or automated theorem proving due to [113]. It now suffices 
to solve the two hard tasks mentioned in § 6 (namely the Hypotheses Task and the Induction- 
Ordering Task) in mathematics as well as in automated theorem proving. 

There is no need to make the generation of induction axioms more flexible, because we are in 
the lucky situation that we can have the cake and eat it: Indeed, we can remove the restrictions 
induction axioms put on us and improve the usefulness of the heuristic knowledge developed 
within the paradigm of explicit induction. 

When recursion analysis or eager induction-hypotheses generation show us the way, we can 
take it. When they do not, we do not have to care for them. We do not have to find a way to walk 
out of the maze of explicit induction. We can fly over it. 

When a proof is completed, we can read out of it what the induction axioms would have been. 

As we do not need any induction axioms, however, we do not have to care at all whether our 
induction axioms should be destructor style or constructor style or whatever mixed styles one 
could imagine. 

Moreover, note that — as discussed in Example 11.2 of § 11.3 — the case analysis suggested 
by recursion analysis is critical for explicit induction, but serves only as a heuristic hint on how 
to start proof search in descente infinie. 
Beside the recursion analysis telling us how to start off and beside the termination check of 
the induction ordering typically in the end, we do not need any special procedures for induction. 
Induction-hypothesis application is just a lemma application generating an additional ordering 
subgoal. 

Descente infinie and explicit induction do not differ in the task (establishing inductive va- 
lidity [120]) but in the way the proof search is organized. For simple proofs there is always a 
straightforward translation between the two. The difference becomes obvious only for proofs of 
difficult theorems. 

The results of [113] on how to combine state-of-the-art deduction with descente infinie glo- 
bally without induction axioms were not available when explicit induction started in the 1970s. 
But now that we know how to do it, sticking to explicit induction as a must is scientifically back- 
ward. Descente infinie anyway admits a simulation of explicit induction that can profit from all 
the heuristics gathered in this field with the additional advantages 

• that — contrary to explicit induction [15, 103, 104] — conflicting induction axioms do 
not have to be combined completely (because the major heuristic achievement of recursion 
analysis is to tell which variables to start induction with, cf. Example 11.2 of § 11.3), and 

• that the induction ordering may stay open until the very end when all cases of the proof are 
known (because an earlier fixing of the induction ordering is hardly of any heuristic benefit 
ever). 

Both items are of great practical effect [88, 91]. 



12.3 Summary 

While the heuristics developed within the paradigm of explicit induction remain the 
method of choice for routine tasks, explicit induction is an obstacle to progress in 
program synthesis and in the automation of difficult proofs, where the proper induc- 
tion axioms cannot be completely guessed in advance. Shifting to the paradigm of 
descente infinie overcomes this obstacle without sacrificing previous achievements. 
Notes 

Note 1 For instance, the basic paradigm of the human-oriented automated inductive theorem 
prover QuodLibet [10] is the following: The working mathematician can feed the machine 
with his semantical knowledge of the domain by stating lemmas, and the machine can use these 
lemmas for sparse but deep proof search [88, 89, 90, 91]. When this search fails, the graphical user 
interface presents a not too deep state of the proof where progress stopped to the mathematician in 
a carefully designed human-oriented calculus [10, 61, 110] who may provide help with additional 
lemmas and other hints. It should be remarked, however, that the practical implementation of this 
paradigm is still more a task than an achievement. Cf. § 10 for more on this. 

Note 2 

• The Oyster-Clam system [18, 22] has to solve the very hard task of constructing proofs in 
the intuitionistic Martin-Löf type theory of OYSTER, whereas the vast majority of mathematicians 
and ATP engineers would use transformations such as the one to the modal logic 
S4 [44, 34, 101] to prove intuitionistic theorems. 

• Proof planning in the old ΩMEGA system [93] severely suffers from its commonplace natural 
deduction calculus, because it exports low-level tasks to higher levels of abstraction; 
these low-level tasks have turned out to be most problematic in practice because they can 
neither be ignored nor properly treated on the higher levels. 

• The λClam system [20] does not have any fixed logic level at all. 



Note 3 (Teaching Proof Search Procedures in Mathematics Lectures) 

In the best lecture course I ever attended, every lecture an emeritus professor came into the lecture 
hall and asked what he is expected to teach here. "Analysis II!" "Do you know the theorem of so- 
and-so?" "What is that?" ". . . " "No, we do not know that!" Then the emeritus gave a precise (but 
often incomplete) statement of the theorem, discussed it, and (after the students had a clear idea 
on the meaning of the theorem!) started proof search. In the lecture I learned most, he presented a 
proof that failed three times and was finally finished successfully overtime, not before patching the 
theorem. But this seems to be the best universities can give to their mathematics students today. 
(The missing systematics they had better learn from textbooks.) An apprentice is explained the 
easy procedures and shown the hard ones. Then, as we do not explain proof search to our students, 
it is probably one of the hard ones. Nevertheless, I do hope we will be able to do this some time. 
Note 4 (Proof-Theoretical Peculiarities of Mathematical Induction) 

The following often mentioned (cf. e.g. [20, § 5]) proof-theoretical peculiarities of mathematical 
induction do not really have a special practical effect on inductive theorem proving, simply 
because efficiency problems cause the same effects already for the case of deductive theorem 
proving: 

• As the theory of arithmetic is not enumerable ([43, 44]), completeness of a calculus w.r.t. 
the standard notion of validity cannot be achieved. 

In practice, however, it does not matter whether our proof attempt fails because our theorem 
will not be enumerated ever or will not be enumerated before doomsday. 

• By Gentzen's Hauptsatz on Cut elimination [40] there is no need to invent new formulas in 
a proof of a deductive theorem. Indeed, such a proof can be restricted to "sub"-formulas of 
the theorem under consideration. In contrast to lemma application (i.e. Cut) in a deductive 
proof tree, the application of induction hypotheses and lemmas inside an inductive reason- 
ing cycle cannot generally be eliminated in the sense that the sub-formula property could be 
obtained, cf. [59]. Thus, for inductive theorem proving, "creativity" cannot be restricted to 
finding just the proper instances, but may require the invention of new lemmas and notions. 

Again, in practice, however, it does not matter whether we have to extend our proof search 
to additional lemmas and notions for principled reasons or for tractability [11]. 



Note 5 (Implicit and Inductionless Induction) 

Alternative approaches to automation of mathematical induction evolved from the Knuth-Bendix 
Completion Procedure and were summarized in the School of Implicit Induction, which comprises 
Proof by Consistency (Inductionless Induction), descente infinie and implicit induction orderings 
(term orderings). Furthermore, there is pioneering work on the combination of induction and co- 
induction; cf. e.g. [73]. While Proof by Consistency and implicit induction orderings seem to be 
of merely theoretical interest today [114], we should carefully distinguish descente infinie from 
the mainstream work on explicit induction. 

Note 6 (The Idea of Rippling) 

Roughly speaking, the success in proving simple theorems by induction automatically, can be 
explained as follows: If we look upon the task of proving a simple theorem as reducing it to a 
tautology, then we have more heuristic guidance when we know that we probably have to do it 
by mathematical induction: Tautologies are to be found everywhere, but the induction hypothesis 
we are going to apply can restrict the search space tremendously. 

In a famous cartoon of Alan Bundy's, the original theorem is symbolized as a zigzagged 
mountain scape and the reduced theorem after the unfolding of recursive operators as a lake with 
ripples. Instead of searching for an arbitrary tautology, we know that we have to get rid of the 
ripples to be able to apply an instance of the theorem as induction hypothesis, as mirrored by the 
calm surface of the lake. 
Note 7 (The Sociological Aspect of Explicit Induction as Normal Science) 

Another way in which explicit induction blocks scientific progress is a sociological one. The heuristics 
to generate induction axioms in explicit induction have hardly changed since the end of the 
1970s. Some minor conceptual improvements (such as [103, 104], e.g.) have turned out to be 
counterproductive in the practical context of a highly optimized "waterfall", because later phases 
were already optimized to patch the weaknesses of the previous ones. With all the manpower 
that went into explicit induction systems such as INKA [7] or Acl2 [56], these systems have become 
so well-tuned to all simple standard problems that it is hardly possible to demonstrate their 
shortcomings to referees within the time they are willing to spend on the subject. 

Beside that, to become competitive with Acl2 requires a common effort and years of work 
with little chance for economic support or academic funding, approval, or rewards. In spite of 
this, mainly due to the idealism of Ulrich Kühler and Tobias Schmidt-Samoa and a bunch of 
their students, descente infinie in QuodLibet [10] — as explained in §§ 9 and 11 — has already 
by now been able to outperform the formerly well-funded normal-science [63, 117] School of 
Explicit Induction. 

Note 8 (On the Likeliness of Alternative Integrations of Descente Infinie into State-of-the- 
Art Deductive Calculi) 

This integration of descente infinie into state-of-the-art free-variable sequent and tableau calculi 
is the most important scientific contribution of my life. Since I actually have searched the whole 
conceivable space of possible combinations far beyond what is documented in [113], I am pretty 
sure that [113] presents not only a most elegant combination of descente infinie and state-of-the-art 
deduction (including a liberalized version (δ⁺) of the δ-rule), but also the only possible 
one (up to isomorphism and up to some possible variations in formalizing variable-conditions 
(cf. [111])) that actually models the mathematical process of proof search by descente infinie 
itself and directly supports it with the data structures required for a formal treatment and does not 
encode some form of induction (as, e.g., in Gentzen's induction rule of [41], or by application of 
the second-order Theorem of Noetherian Induction (N) (cf. § 6), or the second-order Axiom of 
Structural Induction (S) (cf. § 6), or by generation of first-order induction axioms). 

Note 9 (Semantical Requirements of [113]) 

As described in [113, § 2.1.4] all we need for the soundness of our integration of descente infinie 
into two-valued logics are the validity of 

• the well-known Substitution [Value] Lemma (as, e.g., shown for different logics in [3, Lemma 3], 
[4, Lemma 5401(a)], [31, p. 127], [35, p. 120], and [36, Proposition 2.31]) and 

• the trivial Explicitness Lemma (i.e. the values of variables not explicitly freely occurring in 
a term or formula have no effect on the value of the term or formula, resp.) (as, e.g., shown 
for different logics in [3, Lemma 2], [4, Proposition 5400], and [36, Proposition 2.30]). 






Note 10 (Lemma Application) 

Lemma application works as follows. Suppose that our proof goals consist of sequents which 
are just disjunctive lists of formulas. (This is the simplest form of a sequent that will do for all 
two-valued logics.) When a lemma A₁, ..., Aₘ is a subsequent of a sequent Γ to be proved (i.e. 
if, for all i ∈ {1, ..., m}, the formula Aᵢ is listed in Γ), its application closes the branch of this 
sequent (subsumption). Otherwise, the conjugates of the missing formulas Cⱼ are added to the 
child sequents (premises), one child per missing formula. This can be seen as Cuts on Cⱼ plus 
subsumption. More precisely — modulo associativity, commutativity, and idempotency — a sequent 
A₁, ..., Aₘ, B₁, ..., Bₙ can be reduced by application of the lemma A₁, ..., Aₘ, C₁, ..., Cₚ to 
the sequents 

C̄₁, A₁, ..., Aₘ, B₁, ..., Bₙ   ···   C̄ₚ, A₁, ..., Aₘ, B₁, ..., Bₙ. 

In addition, roughly speaking, any time we apply a lemma, we can instantiate its free variables 
locally and arbitrarily. Cf. [113, 115] for more on this. 
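
The integration steps 1 to 4 of § 9 and the lemma application of this note can be made concrete on the clause of Example 11.2. The following Python sketch is an added illustration, not code from [113] or from QuodLibet; the term encoding, all function names, the equations 0 + w = w and Even(s(s(u))) = Even(u), the weight term x, and the form of the ordering subgoal (the goal extended by one literal) are assumptions made here.

```python
from dataclasses import dataclass

# Terms: a variable is a str, an application is a tuple (symbol, arg, ...).
ZERO = ("0",)
def s(t): return ("s", t)
def plus(a, b): return ("+", a, b)
def is_s(t): return not isinstance(t, str) and t[0] == "s"

# Literals: (is_positive, predicate, argument_terms).
def Even(t): return (True, "Even", (t,))
def neg(lit): return (not lit[0], lit[1], lit[2])      # conjugate of a literal

@dataclass(frozen=True)
class Goal:
    formulas: frozenset   # sequent: disjunctive list modulo AC and idempotency
    weight: object        # weight term (item 1 of § 9); unused by plain lemmas

def subst(t, sigma):
    """Instantiate the free variables of a term."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0],) + tuple(subst(a, sigma) for a in t[1:])

def subst_lit(lit, sigma):
    return (lit[0], lit[1], tuple(subst(a, sigma) for a in lit[2]))

def simp(t):
    """Normalise with 0 + w = w (assumed) and s(v) + w = s(v + w) (Example 11.2)."""
    if isinstance(t, str):
        return t
    t = (t[0],) + tuple(simp(a) for a in t[1:])
    if t[0] == "+" and t[1] == ZERO:
        return t[2]
    if t[0] == "+" and is_s(t[1]):
        return s(simp(plus(t[1][1], t[2])))
    return t

def simp_lit(lit):
    """Simplify the arguments, then unfold Even(s(s(u))) = Even(u) (assumed)."""
    args = tuple(simp(a) for a in lit[2])
    while lit[1] == "Even" and is_s(args[0]) and is_s(args[0][1]):
        args = (args[0][1][1],)
    return (lit[0], lit[1], args)

def case_goal(goal, sigma):
    """Instantiate a goal for one case of the case analysis and simplify it."""
    return Goal(frozenset(simp_lit(subst_lit(l, sigma)) for l in goal.formulas),
                simp(subst(goal.weight, sigma)))

def apply_lemma(goal, lemma, sigma, as_induction_hypothesis=False):
    """Note 10: one child per missing formula C_j, extended by the conjugate of
    C_j; no missing formula closes the branch by subsumption. Applied as an
    induction hypothesis (item 3 of § 9), one ordering subgoal is added."""
    instance = frozenset(subst_lit(l, sigma) for l in lemma.formulas)
    missing = sorted(instance - goal.formulas, key=repr)
    children = [Goal(goal.formulas | {neg(c)}, goal.weight) for c in missing]
    if as_induction_hypothesis:
        smaller = (True, "<", (subst(lemma.weight, sigma), goal.weight))
        children.append(Goal(goal.formulas | {smaller}, goal.weight))
    return children

def ordering_subgoal_holds(goal):
    """Item 4 of § 9 for the simplest case: u < s(...s(u)...) on the naturals."""
    for sign, pred, args in goal.formulas:
        if sign and pred == "<":
            small, big = args
            while is_s(big):
                big = big[1]
                if big == small:
                    return True
    return False

def example_11_2():
    """Apply the conjecture to itself as induction hypothesis in two step cases."""
    x, y, z = "x", "y", "z"
    conjecture = Goal(frozenset({Even(plus(x, z)), neg(Even(plus(x, y))),
                                 neg(Even(plus(y, z)))}), weight=x)
    results = {}
    for name, case_term, smaller in [("x=s(x')", s("x1"), "x1"),
                                     ("x=s(s(x''))", s(s("x2")), "x2")]:
        goal = case_goal(conjecture, {"x": case_term})
        children = apply_lemma(goal, conjecture, {"x": smaller},
                               as_induction_hypothesis=True)
        # Last child is the ordering subgoal; the others are Cuts on missing C_j.
        results[name] = (len(children) - 1, ordering_subgoal_holds(children[-1]))
    return results

if __name__ == "__main__":
    for case, (cuts, ordered) in example_11_2().items():
        print(f"{case}: {cuts} open logical subgoal(s), ordering solved: {ordered}")
```

For the step case x=s(x') suggested by recursion analysis, the induction-hypothesis application leaves two logical subgoals; after the further case distinction to x=s(s(x'')) it leaves only the ordering subgoal x'' < s(s(x'')).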

Note 11 (Integration of Descente Infinie into Logical Frameworks) 

Item 4 of the enumeration in § 9 is typically no problem because we can get along with semantical 
orderings [110, Definition 13.7]. Indeed, we do not need term orderings [97] anymore as was the 
case with QuodLibet's predecessor Unicom [46]. 

Items 1, 2 and 3, however, do not seem to be easily achievable with Isabelle/HOL [70, 71], 
for instance. A logical framework (such as Isabelle [74, 75, 76]) can hardly mirror general 
mathematical activity, but only the logic calculi known at the time of its development. This makes 
progress toward human-oriented automatable calculi very difficult. As a convenient realization 
of descente infinie does not seem to be so easily possible in ISABELLE-based systems, a lot of 
additional lemmas (or else ingenious recursive specification) may be necessary as described in 
§ 1 (or else the solution) of [100]. Moreover, for the idea to support program synthesis via 
descente infinie on the lower level of inductive theorem proving for software verification (cf. our 
§ 8 and [25]), the recursion facilities of ISABELLE/HOL seem to be insufficient: Konrad Slind's 
recursion theorems [94] require termination proofs at a too early stage of development [119]. 

Note 12 (Productive Use of Failure and Patching Faulty Conjectures) 

Although a failure of a proof is a complete one in case of a wrong induction axiom in explicit 
induction, from such a failure, we might gain some insight on the proof [55] or on the conjec- 
ture [82, 83]. And then we may start another proof with different settings. 